
Unable to connect via ssh to my ISR C921-4P

iewhf02i
Level 1

I tried to configure SSH on my C921-4P and generated 1024-bit keys. Now when I try to connect using this,

ssh cisco@10.0.0.254

I get this error in my macOS terminal:

Unable to negotiate with 10.0.0.254 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

On my IOS terminal this is the output:

*May 21 18:50:12.767: %SSH-3-NO_MATCH: No matching kex algorithm found: client curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

I tried the method here https://community.cisco.com/t5/switching/logging-ssh-3-no-match-no-matching-cipher-found-client-aes128/td-p/3690528 and added the following line in the config terminal:

ip ssh server algorithm encryption aes128-cbc 3des-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr

I tried the method described here https://community.cisco.com/t5/network-management/open-ssh/td-p/3930558 and used the following commands:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-ctr -l cisco 10.0.0.254
ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -c aes128-ctr -l cisco 10.0.0.254
ssh -oKexAlgorithms=+diffie-hellman-group16-sha1 -c aes128-ctr -l cisco 10.0.0.254

I got these errors in my macOS terminal:

Unable to negotiate with 10.0.0.254 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Unable to negotiate with 10.0.0.254 port 22: no matching host key type found. Their offer: ssh-rsa
Unsupported KEX algorithm "diffie-hellman-group16-sha1"
command-line line 0: Bad SSH2 KexAlgorithms '+diffie-hellman-group16-sha1'.

And I got these errors on my IOS:

*May 21 19:20:12.711: %SSH-3-NO_MATCH: No matching kex algorithm found: client sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1,ext-info-c server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
*May 21 19:22:22.051: %SSH-3-NO_MATCH: No matching kex algorithm found: client sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group1-sha1,ext-info-c server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
*May 21 19:22:42.305: %SSH-3-NO_MATCH: No matching hostkey algorithm found: client ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256 server ssh-rsa

Not sure what's wrong or how I can fix it. What should I do? I have no idea what's going on.
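The failure in the messages above can be read off mechanically: the kex lists of client and server share no algorithm, and once kex is forced, the host key type is the second field that fails (OpenSSH 8.8 and later no longer accept ssh-rsa host keys by default because they are SHA-1 signatures). The following Python script is an added example, not code from the original poster or from Cisco. It parses both message formats copied from this thread, computes the overlap the way the SSH negotiation does, and renders a per-host ~/.ssh/config stanza that widens the algorithm set for this one router only. The `Host` alias `c921`, the preference ordering and the legacy classification are this example's own assumptions.

```python
"""Diagnose an SSH negotiation failure from IOS and OpenSSH messages (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: one IOS syslog line and one OpenSSH client error,
# both copied from this thread.
IOS_LOG = (
    "*May 21 18:50:12.767: %SSH-3-NO_MATCH: No matching kex algorithm found: "
    "client curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
    "ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,"
    "diffie-hellman-group14-sha256,ext-info-c "
    "server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1"
)
OPENSSH_ERR = (
    "Unable to negotiate with 10.0.0.254 port 22: no matching host key type found. "
    "Their offer: ssh-rsa"
)

# OpenSSH advertises these in its kex list, but they are protocol extensions, not key exchanges.
KEX_PSEUDO = {"ext-info-c", "kex-strict-c-v00@openssh.com"}

# The two sides name the same negotiation field differently.
KIND_ALIASES = {
    "kex": "kex", "key exchange method": "kex",
    "hostkey": "hostkey", "host key type": "hostkey",
    "cipher": "cipher", "mac": "mac",
}
CONFIG_KEYWORD = {"kex": "KexAlgorithms", "hostkey": "HostKeyAlgorithms",
                  "cipher": "Ciphers", "mac": "MACs"}

IOS_RE = re.compile(
    r"%SSH-3-NO_MATCH: No matching (?P<kind>[\w ]+?)(?: algorithm)? found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)
OPENSSH_RE = re.compile(r"no matching (?P<kind>[\w ]+?) found\. Their offer: (?P<server>\S+)")

# Strongest first. This ordering is the example's own policy, used only to decide
# which of the server's algorithms to re-enable on the client.
PREFERENCE = {
    "kex": [
        "curve25519-sha256", "curve25519-sha256@libssh.org",
        "diffie-hellman-group16-sha512", "diffie-hellman-group14-sha256",
        "diffie-hellman-group-exchange-sha256",
        "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1",
    ],
    "hostkey": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
}


@dataclass
class NoMatch:
    kind: str          # normalised field name: kex, hostkey, cipher, mac
    client: list[str]  # empty when the message does not list the client side
    server: list[str]


def _split(csv: str) -> list[str]:
    return [a for a in csv.split(",") if a and a not in KEX_PSEUDO]


def parse_no_match(line: str) -> NoMatch | None:
    """Parse an IOS %SSH-3-NO_MATCH line or an OpenSSH 'Unable to negotiate' line."""
    m = IOS_RE.search(line)
    if m:
        return NoMatch(KIND_ALIASES[m["kind"].lower()], _split(m["client"]), _split(m["server"]))
    m = OPENSSH_RE.search(line)
    if m:
        return NoMatch(KIND_ALIASES[m["kind"].lower()], [], _split(m["server"]))
    return None


def common(client: list[str], server: list[str]) -> list[str]:
    """Algorithms both sides support, in client order (SSH selects the first one)."""
    return [a for a in client if a in server]


def is_legacy(alg: str) -> bool:
    """True for algorithms a current client baseline no longer enables by default."""
    return "sha1" in alg or alg == "ssh-rsa" or alg.endswith("-cbc")


def pick_server_algorithm(kind: str, offered: list[str]) -> str | None:
    """The least-bad algorithm the server offers, by PREFERENCE; unknown names sort last."""
    order = PREFERENCE.get(kind, [])
    ranked = sorted(offered, key=lambda a: order.index(a) if a in order else len(order))
    return ranked[0] if ranked else None


def diagnose(lines: list[str]) -> dict[str, str]:
    """Map each failed negotiation field to the server algorithm to enable client-side."""
    needed: dict[str, str] = {}
    for line in lines:
        nm = parse_no_match(line)
        if nm is None or common(nm.client, nm.server):
            continue  # not a NO_MATCH line, or the two sides do overlap
        choice = pick_server_algorithm(nm.kind, nm.server)
        if choice:
            needed[nm.kind] = choice
    return needed


def ssh_config_stanza(alias: str, host: str, user: str, needed: dict[str, str]) -> str:
    """Render a per-host ~/.ssh/config stanza; '+' appends to the client defaults for this host only."""
    out = [f"Host {alias}", f"    HostName {host}", f"    User {user}"]
    for kind, alg in needed.items():
        if is_legacy(alg):
            out.append("    # legacy algorithm, enabled for this host only")
        out.append(f"    {CONFIG_KEYWORD[kind]} +{alg}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    needed = diagnose([IOS_LOG, OPENSSH_ERR])
    print(needed)
    print(ssh_config_stanza("c921", "10.0.0.254", "cisco", needed))
```

With the stanza appended to ~/.ssh/config, `ssh c921` connects without per-call flags while every other host keeps the client's default algorithm policy; the same two lines written as `-o` options are what the thread arrives at below.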


12 Replies

DH group is different: DH14 and DH16.

I have added more error messages, I am not sure what you mean by this.

M02@rt37
VIP

Hello @iewhf02i,

Did you try to regenerate the RSA key pairs on the router with modulus 2048?


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

M02@rt37 I used

crypto key zeroize rsa

to remove the keys and I have tried modulus 1024, 2048 and 4096. I still get the same error messages.

OK @iewhf02i

As concerns this output:

Unable to negotiate with 10.0.0.254 port 22: no matching host key type found. Their offer: ssh-rsa

Is it possible to add this option on your Mac

ssh -o HostKeyAlgorithms +ssh-rsa .....

?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

M02@rt37 that did it, the command is,

ssh cisco@10.0.0.254 -oKexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa

Thanks so much!

Is there any way I can modify the IOS config or switch to a newer encryption algorithm so that I can connect with a simple ssh cisco@10.0.0.254?

You're welcome @iewhf02i

Updating the IOS version can help resolve compatibility issues and provide support for newer algorithms.

Do you have this command on your router?

ip ssh server algorithm


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Under the command ip ssh server algorithm ? I get 6 options.

Under authentication -> keyboard password publickey

Under encryption -> 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr

Under hostkey -> ssh-rsa x509v3-ssh-rsa

Under kex -> diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1

Under mac -> hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512

Under publickey -> ssh-rsa x509v3-ssh-rsa

I just managed to get the latest IOS image; I haven't figured out how to back up and upgrade it yet.
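The listing above is exactly what an algorithm audit works from. The following Python is an added example, not code from the poster or from Cisco. It parses the `ip ssh server algorithm ?` output as reported in this thread, splits each category into currently acceptable and legacy algorithms, and emits `ip ssh server algorithm <category> ...` lines (the command form already used earlier in the thread) that would restrict the router to the acceptable set. The legacy classification and the preferred order are this example's own policy. For kex, hostkey and publickey every option this image offers is SHA-1 based, so the audit reports that no configuration change can fix those categories; only a software image that offers newer algorithms, or a client that re-enables one of these legacy ones, changes the outcome.

```python
"""Audit the algorithm sets an IOS SSH server can be configured with (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: the 'ip ssh server algorithm ?' listing as reported in this thread.
LISTING = """\
Under authentication -> keyboard password publickey
Under encryption -> 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr
Under hostkey -> ssh-rsa x509v3-ssh-rsa
Under kex -> diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1
Under mac -> hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512
Under publickey -> ssh-rsa x509v3-ssh-rsa
"""

# Categories that select cryptographic algorithms ('authentication' selects methods, not algorithms).
CRYPTO_CATEGORIES = ("encryption", "kex", "mac", "hostkey", "publickey")

# Preferred order when several acceptable algorithms exist; this is the example's own policy.
PREFERRED = {
    "encryption": ["aes256-ctr", "aes192-ctr", "aes128-ctr"],
    "mac": ["hmac-sha2-512", "hmac-sha2-256"],
}


def parse_listing(text: str) -> dict[str, list[str]]:
    """Turn 'Under <category> -> a b c' lines into {category: [a, b, c]}."""
    options: dict[str, list[str]] = {}
    for line in text.splitlines():
        head, sep, tail = line.partition("->")
        if not sep:
            continue
        options[head.replace("Under", "").strip()] = tail.split()
    return options


def is_legacy(alg: str) -> bool:
    """SHA-1 based constructs, CBC modes and 3DES: tolerated by old clients, refused by new ones."""
    return ("sha1" in alg or alg.endswith("-cbc") or alg.startswith("3des")
            or alg in ("ssh-rsa", "x509v3-ssh-rsa"))


@dataclass
class Finding:
    keep: list[str]  # acceptable algorithms, strongest first
    drop: list[str]  # legacy algorithms that configuration can turn off


def audit(options: dict[str, list[str]]) -> dict[str, Finding]:
    """Classify each crypto category; an empty 'keep' means configuration alone cannot fix it."""
    report: dict[str, Finding] = {}
    for cat in CRYPTO_CATEGORIES:
        offered = options.get(cat, [])
        acceptable = [a for a in offered if not is_legacy(a)]
        order = PREFERRED.get(cat, acceptable)
        keep = sorted(acceptable, key=lambda a: order.index(a) if a in order else len(order))
        report[cat] = Finding(keep=keep, drop=[a for a in offered if is_legacy(a)])
    return report


def render_commands(report: dict[str, Finding]) -> list[str]:
    """IOS config lines restricting each category to its acceptable set, or a note when none exists."""
    lines: list[str] = []
    for cat, f in report.items():
        if f.keep and f.drop:
            lines.append(f"ip ssh server algorithm {cat} {' '.join(f.keep)}")
        elif not f.keep:
            lines.append(f"! {cat}: only legacy algorithms offered ({', '.join(f.drop)}); "
                         "no configuration change fixes this, the client must enable one of them")
    return lines


if __name__ == "__main__":
    for line in render_commands(audit(parse_listing(LISTING))):
        print(line)
```

The encryption and mac lines are the only ones the router can act on from this listing; the remaining three categories come back as notes, which matches what the thread concludes after the image upgrade.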

ssh cisco@10.0.0.254 -oKexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa <<- this works

Under encryption -> 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr

Under hostkey -> ssh-rsa x509v3-ssh-rsa

Under kex -> diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1

Under mac -> hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512

Under publickey -> ssh-rsa x509v3-ssh-rsa

So, remove any other hostkey and publickey proposed by the router and try
ssh cisco@10.0.0.254

I upgraded to the latest IOS version that just came out earlier this year; the algorithms are exactly the same. Is there anything else I can do?

How do I update the vIOS? I am using GNS3 for lab purposes and trying to connect to the Cisco IOSv router via Ubuntu 22; it says the same, the keys were not matching.

The above command works fine for connecting from an Ubuntu host to the Cisco router in GNS3 which is running with the vIOS.

Thank you
